WordPress Releases 6.0.2 Security Vulnerability Update

WordPress has released an update that bundles bug fixes with security patches for three vulnerabilities ranging from severe to medium in severity.

The update may already have been downloaded and installed automatically, so it is important to verify that the website is now running version 6.0.2 and that everything is functioning as expected.

Bug Fixes

The update includes twelve fixes for the WordPress core and five for the block editor.

One significant improvement is to the Pattern Directory, designed to help theme authors serve patterns relevant only to their themes. This change aims to make the Pattern Directory more appealing and user-friendly for theme authors and provide a better experience for publishers.

"Many theme authors want to have all core and remote patterns disabled by default using remove_theme_support('core-block-patterns'). This ensures they are serving only patterns relevant to their theme to customers/clients.
This change will make the Pattern Directory more appealing/usable from the theme author’s perspective."

Three Security Patches

The first vulnerability is a high-severity SQL Injection vulnerability. This type of vulnerability allows an attacker to manipulate the website’s database and perform actions like adding, viewing, deleting, or modifying sensitive data.

WordPress 6.0.2 patches a high-severity SQL injection vulnerability, which requires administrative privileges to execute.

“The WordPress Link functionality, previously known as ‘Bookmarks,’ is no longer enabled by default on new WordPress installations. Older sites may still have this functionality enabled, meaning millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration.”

The second and third vulnerabilities are described as Stored Cross-Site Scripting (XSS), one of which reportedly does not affect the majority of WordPress publishers.
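The two defect classes named above, SQL injection and stored cross-site scripting, are worth seeing side by side with their fixes. The following is an added example written for this page, not code from WordPress core or from the patched release: a constructed plugin fragment in which each vulnerable function is followed by its hardened form. The option name `example_tagline`, the function names and the nonce action are hypothetical; `$wpdb->links` (the legacy Bookmarks table), `$wpdb->prepare()`, `$wpdb->esc_like()`, `sanitize_text_field()`, `wp_unslash()`, `check_admin_referer()` and `esc_html()` are real WordPress APIs.

```php
<?php
// Added example, not code from WordPress or from the article. The option name,
// nonce action and function names are hypothetical; the WordPress APIs are real.

// --- SQL injection ----------------------------------------------------------

// Vulnerable: untrusted input is concatenated straight into the SQL string,
// so a quote in $name changes the query's structure.
function example_find_links_unsafe( $name ) {
    global $wpdb;
    $sql = "SELECT link_id, link_url FROM {$wpdb->links} WHERE link_name LIKE '%$name%'";
    return $wpdb->get_results( $sql );
}

// Hardened: the value is bound through $wpdb->prepare(), and esc_like()
// neutralises LIKE wildcards so user input cannot widen the match.
function example_find_links_safe( $name ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT link_id, link_url FROM {$wpdb->links} WHERE link_name LIKE %s",
        '%' . $wpdb->esc_like( $name ) . '%'
    );
    return $wpdb->get_results( $sql );
}

// --- Stored cross-site scripting --------------------------------------------

// Vulnerable: a raw POST value is persisted without any privilege or nonce
// check, then echoed unescaped on every page render.
function example_save_tagline_unsafe() {
    update_option( 'example_tagline', $_POST['tagline'] );
}

function example_render_tagline_unsafe() {
    echo '<p class="tagline">' . get_option( 'example_tagline' ) . '</p>';
}

// Hardened: only an administrator with a valid nonce may save; the input is
// sanitised on the way in and escaped again on the way out (defence in depth:
// escaping at output is what actually prevents the script from running).
function example_save_tagline_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_tagline' ); // dies on a bad/missing nonce
    $tagline = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'example_tagline', $tagline );
}

function example_render_tagline_safe() {
    echo '<p class="tagline">' . esc_html( get_option( 'example_tagline', '' ) ) . '</p>';
}
```

The `_safe` variants illustrate the two rules that close most of this bug class in WordPress code: never build SQL by string interpolation when `$wpdb->prepare()` is available, and treat stored values as untrusted at render time, escaping with `esc_html()` (or `wp_kses_post()` where limited HTML is intended) regardless of what sanitisation happened on input.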

Moment JavaScript Date Library Updated

Another vulnerability was fixed in Moment, a JavaScript date library used by WordPress. This vulnerability has been assigned a CVE number and is documented as a bug fix in WordPress.

Action Steps

The update should roll out automatically to sites upgraded from version 3.7 onwards. It is advisable to verify if the site is operating correctly and to check for any conflicts with the current theme and installed plugins.
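A quick way to confirm the installed version without logging in to the dashboard is to read `wp-includes/version.php`, the file in which WordPress core defines `$wp_version`. The script below is an added example, not from the article or the WordPress project: it extracts that value from a given document root and compares it against the release you expect. The `make_sample` helper builds a constructed, throwaway install tree purely so the check can be exercised offline; point `wp_needs_update` at a real document root in practice.

```shell
#!/bin/sh
# Added example (not from the article or WordPress). Verifies that a WordPress
# install under a given document root is at or above a required core version
# by reading $wp_version from wp-includes/version.php.
#
# Usage: wp_needs_update /var/www/example.com 6.0.2   (path is hypothetical)

wp_version_of() {
    # Print the value of $wp_version from <root>/wp-includes/version.php.
    # The file contains a line such as:   $wp_version = '6.0.2';
    awk -F"'" '/^\$wp_version = / { print $2; exit }' "$1/wp-includes/version.php" 2>/dev/null
}

version_ge() {
    # usage: version_ge HAVE WANT ; exit 0 if HAVE >= WANT for dotted numeric
    # versions (so 6.0.10 > 6.0.2, unlike a plain string comparison).
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0;
            q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0
    }'
}

wp_needs_update() {
    # usage: wp_needs_update WP_ROOT REQUIRED
    # exit 0 when the install is at/after REQUIRED, 1 when older, 2 if no
    # version file is found (not a WordPress root, or a broken install).
    have=$(wp_version_of "$1")
    if [ -z "$have" ]; then
        echo "$1: no wp-includes/version.php found" >&2
        return 2
    fi
    if version_ge "$have" "$2"; then
        echo "$1: WordPress $have (>= $2) OK"
        return 0
    fi
    echo "$1: WordPress $have is older than $2, update required"
    return 1
}

make_sample() {
    # Constructed sample install for demonstration only: writes the single
    # file the check reads, with the version given as $2.
    mkdir -p "$1/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$1/wp-includes/version.php"
}

# Run against a real document root when invoked with arguments.
if [ "$#" -ge 1 ]; then
    wp_needs_update "$1" "${2:-6.0.2}"
fi
```

Exit codes are deliberate so the function drops into cron or a fleet-wide loop: anything non-zero is a site that needs attention, and 2 separates "could not read the version" from "confirmed out of date".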

Citations

  • WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know
  • Allow remote pattern registration in theme.json when core patterns are disabled.

Featured image by Shutterstock/Krakenimages.com
